1.首先创建openssh 最新版rpm包:
#定制OpenSSH 8.6 RPM
#安装编译工具及需要的依赖包
[root@pengxi_test] yum -y install rpm-build gcc make openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel gtk2-devel
[root@pengxi_test] mkdir /root/openssh
#创建 rpmbuild默认配置路径(运行程序的家目录下root)
[root@pengxi_test] cd /root/
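# Fetch the release tarball together with its detached signature.
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz.asc
# Verify before unpacking: this source becomes the host's sshd, so a tampered
# tarball means a compromised login service. The OpenSSH release signing key
# must already be in the local keyring, with its fingerprint checked out of
# band. The && chain stops at the first failure, so nothing is unpacked or
# staged for rpmbuild unless the signature is good.
gpg --verify openssh-8.6p1.tar.gz.asc openssh-8.6p1.tar.gz \
  && tar xf openssh-8.6p1.tar.gz \
  && mkdir -p rpmbuild/{SOURCES,SPECS,RPMS,SRPMS,BUILD,BUILDROOT} \
  && cp openssh-8.6p1/contrib/redhat/openssh.spec rpmbuild/SPECS/ \
  && cp openssh-8.6p1.tar.gz rpmbuild/SOURCES/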
#BUILD,存放源代码解压以后的文件,自己无需操作,只需要提供build目录
#RPMS,存放制作完成的RPM包,此目录下会有子目录
#SOURCES,存放收集的原材料和配置文件,源码包,补丁包
#SPECS,存放spec文件,每个rpm包的制作,都必须要有一个spec文件,用来指导文件。此文件以软件包的名字命名,以spec为扩展名
#SRPMS,src格式的rpm包的存放位置。无平台相关的概念
#链接:https://www.jianshu.com/p/0882b0502960
[root@pengxi_test] cd rpmbuild/SPECS/
#修改12和15行将0改为1, 是否生成 x11-askpass、gnome-askpass两个RPM包。可以不选,不选的话就不要 x11-ssh-askpass-1.2.4.1.tar.gz 包;
#sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" openssh.spec
#sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" openssh.spec
#修改103行:注释掉该行(该行用于检测openssl版本),否则构建时会出现报错
#sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec
[root@pengxi_test] rpmbuild -bb openssh.spec
[root@pengxi_test] ls -l /root/rpmbuild/RPMS/x86_64
打包升级rpm相关包及脚本:
2.升级openssh包
[root@pengxi_test] tar -xf openssh-8.6p1.tar.gz && cd openssh-8.6p1/
[root@pengxi_test] ./update_ssh.sh
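#!/bin/bash
# update_ssh.sh - install the locally built OpenSSH RPMs and re-apply the
# sshd settings this host relies on.
#
# Usage: run as root from the directory that contains depends/*.rpm and
#        openssh/*.rpm.
# Environment:
#   PERMIT_ROOT_LOGIN  value written for PermitRootLogin. Defaults to "yes",
#                      which is what this script has always written.
set -euo pipefail
shopt -s nullglob

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly PAM_SSHD=/etc/pam.d/sshd
readonly SSH_COPY_ID=/usr/bin/ssh-copy-id

die() {
  printf 'update_ssh: %s\n' "$*" >&2
  exit 1
}

(( EUID == 0 )) || die "must be run as root"

# NOTE(review): "yes" allows direct password login as root over SSH. It stays
# the default only for backward compatibility; set
# PERMIT_ROOT_LOGIN=prohibit-password (keys only) or "no" where the host does
# not depend on root password logins.
permit_root_login=${PERMIT_ROOT_LOGIN:-yes}
case "$permit_root_login" in
  yes | no | prohibit-password | forced-commands-only) ;;
  *) die "unsupported PERMIT_ROOT_LOGIN value: ${permit_root_login}" ;;
esac

# Expand the globs up front so a missing package set is an explicit error
# instead of a literal "*.rpm" argument handed to yum.
depends_rpms=(depends/*.rpm)
openssh_rpms=(openssh/*.rpm)
(( ${#openssh_rpms[@]} > 0 )) || die "no RPMs found in ./openssh"

# The package upgrade replaces these files; keep the distribution's copies so
# they can be put back afterwards.
if [[ -e "$PAM_SSHD" ]]; then
  cp -p -- "$PAM_SSHD" "${PAM_SSHD}.bak"
fi
if [[ -e "$SSH_COPY_ID" ]]; then
  cp -p -- "$SSH_COPY_ID" "${SSH_COPY_ID}.bak"
fi

if (( ${#depends_rpms[@]} > 0 )); then
  yum -y localinstall "${depends_rpms[@]}"
else
  printf 'update_ssh: no RPMs in ./depends, skipping\n' >&2
fi
yum -y localinstall "${openssh_rpms[@]}"

# sshd ignores private host keys that are readable by group or others.
for host_key in /etc/ssh/ssh_host_ed25519_key \
  /etc/ssh/ssh_host_ecdsa_key \
  /etc/ssh/ssh_host_rsa_key; do
  if [[ -f "$host_key" ]]; then
    chmod 600 -- "$host_key"
  fi
done

# Restore the saved files only when a backup really exists, so a missing
# backup can never leave the host without a PAM stack for sshd.
if [[ -e "${PAM_SSHD}.bak" ]]; then
  mv -f -- "${PAM_SSHD}.bak" "$PAM_SSHD"
fi
if [[ -e "${SSH_COPY_ID}.bak" ]]; then
  cp -p -- "${SSH_COPY_ID}.bak" "$SSH_COPY_ID"
fi

# Keep the packaged config so a bad edit can be compared and rolled back.
cp -p -- "$SSHD_CONFIG" "${SSHD_CONFIG}.update_ssh.bak"

# NOTE(review): the first two expressions uncomment by line number (18-20, 57,
# 61, 98) and therefore depend on the exact sshd_config shipped by this
# package build. Confirm which directives sit on those lines before reusing
# the script with another OpenSSH version.
sed -i \
  -e '18,20s/#//' \
  -e '57s/#//;61s/#//;98s/#//' \
  -e 's/#UsePAM no/UsePAM yes/g' \
  -e "s/#PermitRootLogin.*/PermitRootLogin ${permit_root_login}/g" \
  "$SSHD_CONFIG"
# Optional settings, left disabled as in the original script:
#sed -i 's/#Port 22/Port 22/g' /etc/ssh/sshd_config
#sed -i 's/#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/g' /etc/ssh/sshd_config
#sed -i 's/#ListenAddress ::/ListenAddress ::/g' /etc/ssh/sshd_config
#sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/g' /etc/ssh/sshd_config
#sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config

# Validate before touching the daemon: restarting with a broken config would
# drop the listener and lock out remote administration.
/usr/sbin/sshd -t -f "$SSHD_CONFIG" \
  || die "sshd_config failed validation; sshd not restarted (packaged copy: ${SSHD_CONFIG}.update_ssh.bak)"

# restart instead of start: if the old daemon is still running, "start" does
# nothing and the new binary and settings would not take effect.
systemctl restart sshd
/sbin/chkconfig sshd on

# SELinux is left in its current mode; the original script also kept these
# lines disabled.
#setenforce 0
#sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

if [[ -t 1 ]]; then
  clear
fi
printf '\033[31m------ upgradeSSH finished ------ \033[0m\n'
ssh -V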




